In this paper, I will explore, compare, and contrast organizations utilizing internal (proprietary) and external (contract) security services, highlighting the many similarities and differences between the two approaches. Then, I will discuss how outsourcing physical and cybersecurity (infosec) can be effective or ineffective, as well as the reasoning behind my opinion. Finally, I will provide examples, real-world scenarios, and other contributing data to support my view that internal security services are far superior to relying on a third party to safeguard both physical and digital assets, in addition to an organization’s policies, procedures, and business practices. With the following information, one can comprehend the multiple methods they can use to increase an organization’s defensive strategies, hiring processes, and management of both the tools and personnel required to reduce risk effectively.
Compare and contrast proprietary security and contract security services. What are the similarities? What are the differences?
With the dramatic rise in security and evolving business practices, the manner in which organizations secure both physical and digital assets has undergone dramatic changes to allow organizations to stay up-to-date with emerging dangers and threats. As more organizations value the necessity for sophisticated security services, the method by which they fill security positions now varies between using proprietary (internal) and contract (external) personnel. While both types of staffing procedures can provide situation-specific strengths and weaknesses, they are similar in nature, yet managed differently.
Proprietary, defined as assets that are owned by an individual or business, merely indicates that the item is in the possession of and managed by the organization of which it is a part. A proprietary security service would be a company’s internal security department. As the personnel in a proprietary security department would be part of the organization, they would be selected by the same hiring managers as other members of the company, paid in the same manner, and work side-by-side with other individuals at the company. The proprietary method regarding physical security would merely be creating a security department within the organization, managed by a security supervisor, all of whom follow the organization’s rules, policies, dress code, and hiring processes.
The contract security service process would involve hiring an external, private company which would provide the staff, processes, and procedures necessary for securing the organization’s physical assets. As such, the contracted security employees would operate outside of the company, yet work hand-in-hand within the organization. All contract security staff would be managed by the external security company, whose leadership would communicate with the organization’s leadership. By using contract workers, the testing and verification of the workers’ skills, payment of services rendered, and all forms of paperwork, including hiring and firing, are all managed by the external security contractor.
Include discussions on outsourcing both physical and cybersecurity.
For cybersecurity, outsourcing security services is often accomplished by utilizing a managed services provider (MSP). An MSP maintains a client’s IT systems based on a subscription of services, meeting specific SLA requirements. While an MSP offers many advantages, its services can be quite costly; however, the peace of mind you feel knowing you are protected every time you hear about a new crypto attack, malware, or virus wreaking havoc is well worth it. When it comes to IT, every part of the system, from an employee’s desktop computer to the server, is a vital link in the chain; if one fails, the entire system is in jeopardy. By implementing an MSP’s 24/7 performance and QoS monitoring, critical data can always be at your fingertips, thanks to the remote services that many MSPs provide. Also, having your data backed up in multiple methods is necessary to increase redundancy. Many popular MSPs’ backup managers are state of the art, offering both cloud and on-premises storage methods. Additionally, an MSP can provide virtual machine support, fast backup and recovery, as well as high security using private keys.
Automation is something we all strive for with today’s always-advancing level of technology. While having multiple IT technicians who are handy with scripting languages can achieve satisfactory outcomes with network management, utilizing an MSP allows you to obtain the same (if not better) results for a lower price. Furthermore, a highly-rated MSP can boost efficiency, self-heal errors, offer detailed reporting, and provide users with complete control of all automation aspects of the product.
One of the most feared IT duties is patch management. A poorly timed or faulty patch can cripple a network if not planned for accordingly, thus halting business for an unknown amount of time as IT technicians scramble to find a solution. With an MSP’s patch manager tools, patches and updates are automatically applied through a user-designed schedule, ensuring that software is kept up to date; this maximizes efficiency, as well as ensures that network equipment is equipped with the latest security defenses.
Visibility is everything in an MSP. Having an easy-to-use dashboard providing you with error reporting, employee internet histories, security overviews, device and capacity management, as well as helpdesk reports, empowers a business with the tools it needs to adequately manage and direct resources across its entire system. Many of the larger MSPs have a detailed and expansive user interface that allows for smooth operation and unparalleled levels of accountability. Above all, security reigns supreme in an MSP. Many MSPs’ security software and processes provide users with top-tier security features that are very simple to deploy and manage. Some of these features include rules, signatures, behavioral-based scans, proactive notifications, enhanced firewalls, web content filtering, profiles and application controls, as well as reporting.
There are several advantages and disadvantages of using internal and outsourced infosec services, such as with an MSP. With an internal infosec team, security staff develop a deep inner understanding of the company’s infrastructure and needs, offer immediate in-person support as opposed to waiting on an MSP to send a tech out to you, grow with your company and provide a personal touch, and have the motivation to excel through bonuses, promotions, and raises. Having an in-house security department can, however, have a higher cost depending on the size of the team (salary, benefits, training, taxes, raises). If a member of an organization’s security department leaves, all of the knowledge they have leaves with them, whereas in an MSP, the experience of the company they are working with is shared amongst the security team. Also, it can be quite challenging for an internal security department to match the resources that an MSP will have.
An MSP is excellent in that they are comprised of industry experts and specialists, offer an often-stable (and significantly reduced) monthly rate of cost, provide 24/7 (remote) availability, and their work is guaranteed to meet or exceed the predefined SLAs. MSPs can utilize their often top-of-the-line software to effortlessly deploy and manage new devices and users, as well as perform behavior-based scans and constant monitoring. However, there are several MSPs out there that fall victim to attacks themselves, are poorly rated regarding customer service, and can sometimes cost more than they protect.
In your mind, which is best? Fully explain why.
In my opinion, I don’t view completely outsourcing cybersecurity services as the optimal choice, due to the lack of a personal touch, the majority of remote-only functions, and the low motivation to help the company succeed. While some MSPs are highly-reviewed, can provide enhanced security settings and monitoring, as well as accept the transfer of risk from the organization that hired them, I feel that some form of an internal infosec department must be maintained, even if it is just one person. I see, rather often, organizations utilizing MSPs in all of the wrong ways. The MSP’s point of contact with the organization they are working for tends to be someone not well-versed in the world of IT, and thus, ends up paying for services they don’t need or even receive. Also, MSPs do most of their work remotely, trying to avoid sending in-person technicians; while this isn’t necessarily a rare or negative thing, typical day-to-day IT and security tasks can take forever for an MSP, and often, every time a technician from an MSP has to drive out and fix something in-person, there is a hefty charge.
I feel that cybersecurity should always be the responsibility of internal employees; however, the use of an MSP for specific tasks that require a high skill-level can be not only beneficial but necessary to defend against rising cyber threats and attacks. The practices of risk assessments, deterrence, mitigation, and transference can be challenging for an organization to fully comprehend, fund, and find skilled professionals to address. Relying on outsourcing complicated security tasks can allow internal security staff to focus on specific areas of infosec, although I would never put my faith in an organization to be entirely responsible for ensuring an organization had adequate protection on its information assets.
Outsourcing an organization’s physical security, similar to outsourcing cybersecurity, has benefits that rely on the size of the organization. For smaller companies, finding, hiring, training, and managing an internal physical security department is a bit overkill. Instead, I feel that hiring an outside company to provide personnel and procedures to secure the physical locations of the organization is far superior and cost-effective. Unless the organization is quite large or deals with any extremely sensitive or government material, the use of an in-person security force wouldn’t necessarily need to be as robust as the technology and security practices it manages. With a state-of-the-art alarm system, physical barriers, and a proper surveillance system, a small staff of security guards can effectively monitor and respond to all incidents without fail. However, the larger the company and the more sensitive the data that it stores and processes, outsourcing security operations to a respectable external company would be ideal.
With the drastic changes to the methods utilized to secure organizations in recent years, the process of securing an organization’s physical and digital assets has evolved to meet rising confidentiality, integrity, and availability demands; as such, the process by which businesses select, hire, train, and manage security professionals has transformed as well. While proprietary and contract security services each have their strengths and weaknesses, deciding which is the most optimal for an organization truly depends on the situation at hand, including the size of the business, the assets it owns, the type of information/product it stores and processes, as well as the funding allotted for defensive strategies. As security professionals interested in management, understanding the multiple methods we can use to increase the protective layers of the organizations we secure is of utmost importance.